Recently I have a project in which directory listing is enabled, due to which some scripts can be seen by the outside world. I asked the website administrator and he said it's not his responsibility, it's the programmer's job. I also asked the programmer about this and he said that the script is actually a cron job, and according to him, he has to test the script on the webserver as there is a difference between the development and production environments, so he placed it there to test that. According to him, there was no direct link, as he assumed directory listing is disabled and taken care of by the administrator.

Users are the root of all evil, only if you give them permissions.
– JeffO, Mar 14 '12 at 13:47

2

When your webserver is hacked your web admin and everyone else are going to have a lot more work to do than fixing one permission issue. Go get one of the many web server vulnerability scanners and run a scan. Use the report as a starting point for a serious security discussion.
– james, Mar 14 '12 at 14:00

is that an instance of the "it's not my job" mentality, or just a bad case of "we are both so completely clueless about our craft, we'd better play distraction tactics and start arguing"?
– ZJR, Mar 14 '12 at 19:35

10 Answers

It's the duty and responsibility of both

The basic problems with security tend to have something to do with comfort and overconfidence (e.g. security through obscurity). If you know a way to cover a security hole, do it, there's no such thing as "too much security".

...it's not that hard

For example, the Joomla! project team places an empty index.html file in each directory to prevent directory listing, and frameworks like Symfony and Ruby on Rails have a single public directory to which you must link on the public end of the server account.

It depends on your organization's security policies. At some companies, usually smaller ones, I had to do everything. At others, I wasn't even allowed access to the production web servers and the admins had to install my apps and do all the server configuration, sometimes while I looked over their shoulder to make sure everything is done correctly.

It's the programmer's duty to fix anything that affects their application. If directory listing is a security concern for your application, then take steps to correct that. Good applications must not rely too much on the reliability of administrators.

If the server administrator copies directories with 666 permissions, will it be the programmer's work to set them properly? Security is work for all, not only programmers or only admins. It's enough to have a hole in one place to fail, and all who work on that application should feel responsible for that.
– Dainius, Mar 14 '12 at 10:18

1

@Dainius I'm not arguing against a joint effort, I'm simply pointing out that the bulk of the burden is on the programmer to beware of simpleton administrators, and take the necessary steps to protect their applications.
– Baker Kawesa, Mar 14 '12 at 10:29

"programmer's duty to fix anything that affects their application": a programmer can't fix everything that affects their program. File listing is configurable in the server config file, so whoever is responsible for this should do that. But, for example, SQL injection is independent of server configuration, so this is the programmer's work.
– Dainius, Mar 14 '12 at 10:50

@Dainius By "fix" I don't necessarily mean setting permissions or modifying the server configuration autonomously, since that in itself would pose a security threat. But an application should know its system requirements, and should, to the greatest degree possible, confirm that they are met before assuming any normal operations. If something bad is detected, it should nag the administrator about it, who should then proceed to fix it.
– Baker Kawesa, Mar 14 '12 at 11:18

Simply, it is a programmer's job. Can a programmer upload his application with no security or testing, then sit back for a system admin to add security for him? Certainly not. A professional programmer won't do this. A professional programmer will take the responsibility of making his/her code secure.

The same could be said of a professional sys admin. Why would he sit back and wait for someone else to secure the boxes he is responsible for?
– stonemetal, Mar 15 '12 at 14:34

@stonemetal The sys admin secures the box much like a perimeter patrol guards a VIP's house, while the programmer secures the app everywhere, much like a bullet catcher guards a VIP. Ultimately, if an app "catches a bullet", it's the programmer who has done most of the failing; a sys admin can't be expected to know exactly what degree of security an app needs to function, since their duty is to the box. Some apps find directory listing useful, while others are threatened by it. It's the programmer's duty to have it turned off (by nagging the sys admin if that's the only way).
– Baker Kawesa, Mar 16 '12 at 0:39

You tried to resolve it yourselves, but there is an impasse. The person in charge needs to step in, make a decision, and enforce the decision.

There should have been some specification that this was needed or not needed (this may be based on the person in charge's decision). This is a good candidate to put on a website security checklist. The admin should know whether or not this is set correctly.

It's the programmer's duty to protect his code and application; if he has the control to upload code and is able to use htaccess, then why not use an index there? Often cPanel and other web servers have directory indexes enabled; no good programmer can leave important docs, zips and scripts in the document root.
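The two remedies mentioned in this thread (an empty index file per directory, as the Joomla! answer above describes, and an htaccess rule, as this answer suggests) can be checked and applied from the shell. The script below is an added example and is not code from the original thread or from any project named here; the document root path is a placeholder and is passed in as an argument. It lists directories that would render a listing when indexes are on, lists files writable by group or others (the 666 case raised in the comments), and offers both fixes. `Options -Indexes` is the Apache directive that disables directory listings.

```shell
#!/bin/sh
# Added audit script (not from the original thread). Assumes the document
# root is passed as $1; "/var/www/html" in the usage line is a placeholder.

# Print each directory under $1 that has no index.html or index.php.
# With directory indexes enabled, each of these would render a listing.
dirs_without_index() {
  find "$1" -type d | while read -r d; do
    if [ ! -e "$d/index.html" ] && [ ! -e "$d/index.php" ]; then
      printf '%s\n' "$d"
    fi
  done
}

# Print each file under $1 that is writable by group or others (e.g. mode 666).
loosely_writable_files() {
  find "$1" -type f \( -perm -020 -o -perm -002 \)
}

# Remediation in the Joomla! style: drop an empty index.html into every
# directory that lacks an index file, so no listing can be rendered.
place_empty_indexes() {
  dirs_without_index "$1" | while read -r d; do
    : > "$d/index.html"
  done
}

# Belt and braces for Apache: ask the server itself not to render listings.
# Appends "Options -Indexes" to $1/.htaccess unless it is already present.
disable_indexes_htaccess() {
  if ! grep -qs 'Options -Indexes' "$1/.htaccess"; then
    printf 'Options -Indexes\n' >> "$1/.htaccess"
  fi
}

# Usage: ./audit_docroot.sh /var/www/html
if [ "$#" -eq 1 ]; then
  echo "Directories without an index file:"; dirs_without_index "$1"
  echo "Files writable by group or others:"; loosely_writable_files "$1"
fi
```

Run the audit first and hand the output to whoever owns the server configuration; `place_empty_indexes` is the fix a programmer can apply without touching server config, and `disable_indexes_htaccess` only works where the server honours `.htaccess` files (and `AllowOverride` permits `Options`), which is itself an admin decision.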

Both. It is a problem that has to be solved. If the programmer can do it, why not do it? If the admin can do it, why not do it? If the programmer cannot, it's obviously the responsibility of the admin, but the requirement should (probably) have been documented in the release docs.

As always with down-votes, it's probably a good idea to leave a comment saying why you're down-voting an answer. There is, to me at least, no obvious reason to down-vote this (apart from possibly being on the brief side).
– Vatine, Mar 18 '12 at 9:10

...and now let's all enroll in a philosophy degree, so that, in 2 to 3 years, we can split hairs about the real boundaries of this elusive myth called "web application".
– ZJR, Mar 14 '12 at 19:37

Application = folder where your website is sitting. I assume there can be a number of sub-domains pointing to different locations (multiple applications). Each may be programmed by different developers. Even one domain can be maintained by a number of developers. The policies should come down from the IT Lead/Manager/Project Manager, though. It's their job to implement it.
– Noname, Mar 14 '12 at 20:06